It's hard to reliably binary patch something unknown ahead of time.
All Trezor would need to do is change the compilation options on a fairly regular basis, and any patching will fail.
Combine with the fact there is a reward to send in devices means they can analyze any evil devices and make sure their instructions to users will reliably detect all evil devices they're aware of.
Still doesn't stop supply chain attacks, but makes them far harder.
